CVE-2025-27127: Unrestricted File Upload in Siemens TIA Project-server

Severity
5.3 MEDIUM (NVD)
GHSA: 5.0
EPSS
0.1% (top 73.47%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jul 8
Latest update: Feb 23

Description

A vulnerability has been identified in TIA Project-Server (All versions < V2.1.1), TIA Project-Server V17 (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (All versions), Totally Integrated Automation Portal (TIA Portal) V18 (All versions), Totally Integrated Automation Portal (TIA Portal) V19 (All versions < V19 Update 4), Totally Integrated Automation Portal (TIA Portal) V20 (All versions < V20 Update 3). The affected application improperly handles uploaded projects in the

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Packages: 6 packages

Vulnerability Details (3)

GHSA, 2026-02-23: Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding
GHSA, 2025-07-08: GHSA-9rr2-q86m-gg2c: A vulnerability has been identified in TIA Project-Server (All versions < V2
CVEList, 2025-07-08: CVE-2025-27127: A vulnerability has been identified in TIA Project-Server (All versions < V2
CVE-2025-27127 — Unrestricted File Upload in Siemens | cvebase